8. Security Server Spnego and Form Auth Sample

This sample demonstrates how a server can be configured to accept a Spnego based negotiation from a browser while still being able to fall back to a form based authentication.

Using a user1 principal Section C.1, “Setup MIT Kerberos”, do a kerberos login manually using credentials.

$ kinit user1
Password for [email protected]:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
10/03/15 17:18:45  11/03/15 03:18:45  krbtgt/[email protected]
  renew until 11/03/15 17:18:40

or using a keytab file.

$ kinit -kt user2.keytab user1

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
10/03/15 17:25:03  11/03/15 03:25:03  krbtgt/[email protected]
  renew until 11/03/15 17:25:03

Run a server.

$ java -jar sec-server-spnego-form-auth-1.0.1.RELEASE.jar

Now you should be able to open your browser and let it do Spnego authentication with existing ticket.

[Note]Note

See Appendix E, Configure Browsers for Spnego Negotiation for more instructions for configuring browsers to use Spnego.

server:
    port: 8080
app:
    service-principal: HTTP/[email protected]
    keytab-location: /tmp/tomcat.keytab